1. Technical Field
The present invention relates generally to network communications and in particular to routing mechanisms for Internet communications. Still more particularly, the present invention relates to a method, system and program product for providing Network Address Translation within an Internet communication operating via IP security (IPsec) protocol.
2. Description of the Related Art
Network Address Translation (NAT) was developed in response to the declining number of available Internet Protocol (IP) addresses (currently maxed at less than 2^32) as more and more people seek access to the Internet. NAT is a method of connecting multiple computers (or machines) to the Internet (or any other IP network) using only one IP address. With the number of available IP addresses decreasing each day, the usage of NAT becomes not only desirable, but necessary.
With NAT, one machine is designated as a gateway/router. This machine will have a physical connection to the Internet. All the other machines are connected to this machine using private IP addresses. Private IP addresses are special IP addresses that are reserved for this purpose. These addresses are also called non-routable addresses because they are not routed through the Internet. Because of this, these addresses can be re-used as long as they are not directly connected to the Internet. The NAT gateway/router acts as a proxy for these addresses. The machines behind the NAT gateway will have private addresses and, when communicating with the Internet, the machines send the data to the NAT gateway. The gateway performs the necessary address translation to route the packet to the correct destination.
The gateway machines operate on the IP packet-level. NAT utilizes the gateway machine to manipulate the headers of IP traffic to provide packet routing between the internal machines of the local network and the Internet.
In addition to NAT, another development in IP technology is IP Security protocol (IPsec). IPsec is a security addition to the IP protocol that enables security and privacy to TCP/IP communication. IPsec is a suite of protocols that seamlessly integrates security features, such as authentication, integrity, and confidentiality, into IP. Using the IPsec protocols, an encrypted or authenticated path can be created between two peers (or Policy Enforcement Points). This path is referred to as a tunnel, and results in the creation of a virtual private network (VPN). Each peer is a device, such as a client, router, or firewall, that serves as an endpoint for the tunnel.
One common security mechanism utilized by IPsec is Internet Key Exchange (IKE), which is a set of procedures that IPsec-enabled devices utilize to transfer security keys required for encryption/decryption of the communication's content. Tunnels based on IKE are referred to as IKE tunnels. IPsec can be used in a gateway-to-gateway configuration or a client-to-gateway configuration or a combination of both. Traffic between the IPsec peers rides in a virtual “tunnel,” which both verifies the authenticity of the sender and the receiver and encrypts all traffic. In gateway-to-gateway IPsec, the tunnel endpoints are the external (Internet-facing) interfaces of the virtual private network (VPN) gateways.
One drawback with IPsec is that it does not work within the NAT configuration, which is widely utilized on current IP networks. Conversely, although NAT works well for most network communication applications, NAT does not work well with communications established by the IPsec protocol.
IPsec encodes ID information (e.g., local and remote IDs—IP addresses, tunnel endpoints, etc.) in the packet during the IKE negotiation and data transfer. NAT manipulates the IP header addressing information which causes the IKE negotiation to fail.
For example, consider the network configuration of FIG. 1. The network comprises 3 machines, A, B, and C, two of which are linked via an external network connection (e.g., the Internet). Machine B operates as a gateway/router machine, which provides connectivity functions to the external network for other machines. Machine C is connected to machine B and communicates with the external network via machine B. Machine B performs the NAT operation for machine C. Machine B is configured to forward packets to machine C following the NAT operation.
According to current IP operation, machine A is only aware of machine B's IP address. IPsec encryption and authentication may be needed from machine A to machine C if a secure communication path is desired between both machines. As provided by FIG. 1, machine A has IP address A. B. C. D., wherein A. B. C. D. represents a valid Internet address, as will be clear to those skilled in the computer arts, and machine B has IP address A. B. C. E., which is also a valid Internet address. Machine C, however, does not have a public/routable IP address because it is not directly connected to the Internet. Machine C has a private interface address, which in the illustrative example is 192.168.1.10. Machine C connects to the Internet through machine B using NAT. The second interface of machine B (i.e., the local interface seen by machine C) is illustrated with IP/interface address 192.168.1.1, which is within the subnet of machine C and hence can communicate directly with machine C.
FIG. 2 illustrates a sample packet transmitted via IPsec protocol. As shown, packet 201 includes header 203 and encrypted data portion 205. Header 203 contains the IP headers (i.e., destination and source addresses and ports), utilized by NAT to route packets. Encrypted data portion 205 comprises the encrypted data, as well as the IPsec IDs (i.e., destination and source IP addresses and ports). Encrypted portion 205 of packet 201 is generated by the IKE and IPsec protocols.
When an IKE tunnel is to be established between machines A and C, machine A defines the desired IKE tunnel with endpoints defined as A. B. C. D. (A) to A. B. C. E. (B). Machine A sends the IKE negotiation packet to machine B, which has local and remote IKE tunnel IDs as A. B. C. D. (A) and A. B. C. E. (B). This information is within the packet's data portion 205 and not in the header 203 and so machine B (the NAT router) is not able to change (or translate) it with NAT. Rather, machine B changes the source and destination addresses within the header to route the packet to machine C. When machine C receives the packet and looks at the IDs, machine C discovers that none of the IKE tunnel IDs matches its ID (interface address 192.168.1.10) and consequently machine C will fail the IKE negotiation.
Previously this problem was solved by terminating (i.e., defining the endpoints of) the IKE tunnel at the gateway or placing the IPsec module outside the NAT. Moving the tunnel end point to the gateway increases the tasks of the gateway and could create problems with throughput. Further, the traffic inside the network will be readable/visible and this may pose a security risk. Lastly, compromising one service in the gateway could bring down all the services provided by the gateway.
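The following Python model is an added illustration, not part of this application, of the FIG. 1 negotiation failure and of the prior gateway-termination workaround. It assumes constructed documentation-range addresses in place of A. B. C. D. and A. B. C. E., a NAT that rewrites only the header destination, and a responder that accepts an IKE packet only when one of the carried IDs is its own address.

```python
from dataclasses import dataclass, replace

# Constructed stand-ins for the FIG. 1 addresses (documentation range, not real hosts).
ADDR_A = "203.0.113.10"          # machine A, stands in for A. B. C. D.
ADDR_B_PUBLIC = "203.0.113.20"   # machine B, Internet-facing, stands in for A. B. C. E.
ADDR_B_LOCAL = "192.168.1.1"     # machine B, local interface (from the text)
ADDR_C = "192.168.1.10"          # machine C, private interface (from the text)


@dataclass(frozen=True)
class IkePacket:
    """Model of FIG. 2: a header NAT can rewrite and a protected body it cannot read."""
    hdr_src: str
    hdr_dst: str
    id_local: str    # IKE local (initiator) ID, inside the protected data portion
    id_remote: str   # IKE remote (responder) ID, inside the protected data portion


def nat_forward(pkt: IkePacket, nat_table: dict) -> IkePacket:
    """Machine B's NAT step: rewrite only the header destination per its table.
    The IDs in the protected portion are left exactly as machine A encoded them."""
    return replace(pkt, hdr_dst=nat_table.get(pkt.hdr_dst, pkt.hdr_dst))


def ike_responder_check(pkt: IkePacket, my_addresses: set) -> bool:
    """Responder accepts the negotiation only if a carried ID names one of its addresses."""
    return pkt.id_local in my_addresses or pkt.id_remote in my_addresses


def build_ike_packet(tunnel_remote: str) -> IkePacket:
    """Machine A defines the tunnel A -> tunnel_remote and encodes those IDs in the body."""
    return IkePacket(hdr_src=ADDR_A, hdr_dst=tunnel_remote,
                     id_local=ADDR_A, id_remote=tunnel_remote)


# Machine B forwards Internet-side packets for its public address on to machine C.
NAT_TABLE = {ADDR_B_PUBLIC: ADDR_C}


def deliver_through_nat(tunnel_remote: str) -> IkePacket:
    """What machine C actually receives after machine B's NAT rewrite."""
    return nat_forward(build_ike_packet(tunnel_remote), NAT_TABLE)


def tunnel_a_to_c_via_nat() -> bool:
    # FIG. 1 case: header now points at C, but the IDs still say A and B, so C rejects.
    return ike_responder_check(deliver_through_nat(ADDR_B_PUBLIC), {ADDR_C})


def tunnel_terminated_at_gateway() -> bool:
    # Prior workaround: B itself is the IKE endpoint and checks the packet before NAT.
    return ike_responder_check(build_ike_packet(ADDR_B_PUBLIC), {ADDR_B_PUBLIC, ADDR_B_LOCAL})
```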
Clearly, taking the IPsec authentication and other security features outside the NAT defeats the advantages of NAT and would require extra IP addresses to provide secure communication with local machines, such as machine C. However, there are no methods currently available that work with NAT without manipulating the IPsec software or modifying the IKE protocol itself.
The present invention therefore realizes that it would be desirable to provide a method and system for efficiently enabling secure IPsec tunnels within NAT without compromising security. A method and system that enables NAT to establish an IPsec communication with a correct local machine accessible via a gateway implementing NAT would be a welcomed improvement. These and other benefits are provided by the invention described herein.